Prudent Devs

Using dep, the Golang dependency management tool

A concise guide to dep, the golang's dependency management tool.

In developing software products, we rely on solutions created by others. These could be libraries, frameworks, and packages. Every language has its own mechanism to deal with such 3rd party dependencies. dep is Golang’s dependency management tool.

golang dep tool

You can use dep for both new project and existing projects. In this article, I’ll assume you are starting a new project. You start with an init command issued from within the new project folder.

dep init

This will create .lock and .toml files and a vendor folder. Your project folder should look like this now.

├── Gopkg.lock
├── Gopkg.toml
└── vendor

If you open .lock file, you will see this as the first line:

# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.

That is right. dep autogenerates this file. It has the exact versions of your project’s dependencies and their dependencies. What is the advantage of this?

Before dep, the way to install dependencies in golang is to use go get…. get always fetches the latest version of the package. If there is a new release of the dependency, then your program may or may not work. dep solves this problem with the .lock file.

As long as the dependencies follow semver to tag their releases, your project will always compile because dep will always fetch the exact version of the dependency.

The dependencies can be added or edited in the .toml file. But you don’t have to do it manually. dep helps here.

You can install dependencies using dep ensure. When you install using dep ensure, it adds the dependency in .toml file and modifies the .lock file automatically.

Let us try to install a new dependency.

$ dep ensure -add
no dirs contained any Go code

You are seeing no dirs contained any Go code because this is a new folder without any code. Add a main.go file.

package main

func main() {

Now if you try it will install. But it throws the message:

"" is not imported by your project, and has been temporarily added to Gopkg.lock and vendor/.
If you run "dep ensure" again before actually importing it, it will disappear from Gopkg.lock and vendor/.

This is ok. It says you have not used this new dependency in your code. Now let us look at .toml file.

# Gopkg.toml example
# Refer to
# for detailed Gopkg.toml documentation.
# required = [""]
# ignored = ["", ""]
# [[constraint]]
#   name = ""
#   version = "1.0.0"
# [[constraint]]
#   name = ""
#   branch = "dev"
#   source = ""
# [[override]]
#  name = ""
#  version = "2.4.0"

  name = ""
  version = "1.9.2"

All the initial lines are comments indicating how dependencies should be mentioned in .toml file. In most cases, you will mention a [[constraint]] with path and version of the dependency.

In fact, you don’t even have to edit the .toml file. Say you want to use the latest version of the dependency as of you start coding your application. You simply import the dependency in your code, like below:

import ""

Then in the command line, issue dep ensure. It will install the latest release in vendor folder and modify .lock file.

You can know the status of each dependency by issuing dep status. It will list out the version used in your application and the latest version released by the developer.

PROJECT                   CONSTRAINT  VERSION  REVISION  LATEST   PKGS USED  ^1.9.2      v1.9.2   bf5c562   bf5c562  9

If there is a newer version and you want to update it, you can issue dep ensure -update <dep>. If you want to update all the dependencies you can issue dep ensure -update.

What if you want to remove a dependency?

Just remove it from the import and run dep ensure. dep will do the magic. It will remove the entry from .lock and remove the dependency from the vendor folder.

It goes without saying that you should commit .toml and .lock file in your code repository. Should you check-in vendor folder? It is debatable.

The whole purpose of dep is to recreate usable vendor folder. So you don’t have to check-in. But it doesn’t hurt to check-in. I check-in the vendor folder.

Published On:
Under: #code , #golang , #beego
Sign up for my newsletter